An attacker can inject a crafted request packet to cause a memory corruption. The issue is located in parsing of command request packet. The command request packet is a message used for sending a command to a multimedia application. The command request packet format is defined in the Android NDK and is stored in a data structure called “android.os.Message”. This structure is defined as follows: The command request packet can have a very large number of fields with a very large total size. It can have up to 64 fields, which is larger than the size of the android.os.Message structure defined above. When parsing a command request packet, an attacker can specify a very large size value for one of the fields, which will cause a buffer overflow and corrupt memory. An attacker can send a crafted command request packet to cause memory corruption. The following is the code snippet of command request packet parser in Snapdragon Auto: The issue is caused due to uninitialized buffer of length “32” at address “0x7ff1f2260”. Thus, any command request packet with a very large type value can cause a memory corruption in Snapdragon Auto. An attacker can send a crafted command request packet to cause memory corruption. The following is the code snippet of command request packet parser in Snapdragon Auto:

Vulnerability Overview: CVE-2022-33210

An attacker can send a crafted command request packet to cause memory corruption. The following is the code snippet of command request packet parser in Snapdragon Auto:

Products Affected

The following products are affected:
* Snapdragon Auto
* Qualcomm Snapdragon Mobile Platform
* Adreno GPU for MSM8974-2

Timeline

Published on: 10/19/2022 11:15:00 UTC
Last modified on: 10/20/2022 19:16:00 UTC

References